MSDT Package Path Traversal Vulnerability - "DogWalk"

Industry: N/A | Level: Tactical | Source: 0patch

Security researchers have identified an additional vulnerability in Microsoft's Diagnostic Tool (MSDT) a package path traversal vulnerability named, DogWalk. The vulnerability has been known since 2020, documented, and reported to Microsoft by security researcher Imre Rad. Essentially the exploit uses the Windows Troubleshooting service diagnostic file, diagcab to save a malicious executable onto the victim's startup folder executing during the user's next login. As detailed by Mitja Kolsek from the 0patch team, "The vulnerability lies in the Microsoft Diagnostic Tool's sdiageng.dll library, which takes the attacker-supplied folder path from the package configuration XML file inside the diagcab archive and copies all files from that folder to a local temporary folder. During this process, it enumerates files in the attacker's folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created." A patch for the vulnerability by Microsoft isn't likely given their dismissal of the vulnerability when Imre Rad had reported it in 2020.

Anvilogic Use Cases:

• Microsoft Diagnostic Tool "DogWalk" Package Path Traversal
• Execution from Startup Folder